malwarewikiaorg-20200223-history
BOK
BOK is a ransomware that runs on Microsoft Windows. It is aimed at English-speaking and Russian-speaking users.

Payload Transmission

BOK is distributed through malicious email attachments. These email messages often carry scripts that download and install BOK on the victim's computer.

Infection

Once on the victim's computer, BOK searches for files with the following extensions and encrypts them with a strong encryption algorithm; without the decryption key the files cannot be recovered:

.7zip, .aac, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aes, .agdl, .aiff, .ait, .aoi, .apj, .apk, .ARC, .arw, .asc, .asf, .asm, .asp, .aspx, .asset, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .brd, .bsa, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .cer, .cfg, .cgm, .cib, .class, .cmd, .cmt, .config, .contact, .cpi, .cpp, .craw, .crt, .crw, .csh, .csl, .csr, .csv, .CSV, .d3dbsp, .dac, .das, .dat, .dbf, .dbjournal, .dbx, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .dif, .dip, .djv, .djvu, .dng, .doc, .dlt, .DOC, .docb, .docm, .docx, .dot, .DOT, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .els, .eml, .eps, .erbsql,
.erf, .ess, .exf, .fdb, .ffd, .fff, .fhd, .fit, .fla, .flac, .flv, .flvv, .forge, .fpx, .frm, .fxg, .gif, .gpg, .gray, .grey, .groups, .gry, .hbk, .hdd, .hpp, .html, .hwp, .lay6, .ibank, .ibd, .lbf, .ibz, .ldf, .idx, .iif, .iiq, .incpas, .indd, .ltx, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lay, .lit, .litemod, .litesql, .log, .lua, .m2ts, .mapimail, .max, .mbx, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mml, .mmw, .mny, .moneywell, .mos, .mov, .mpeg, .mpg, .mrw, .ms11, .msg, .myd, .MYD, .MYI, .ndd, .ndf, .nef, .NEF, .nop, .nrw, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nxl, .nyf, .oab, .obj, .odb, .ode, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .onetoc2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .pab, .pages, .PAQ, .pas, .pat, .pcd, .pdb, .pdd, .pdf, .pef, .pem, .pet, .pfx, .php, .pic, .pif, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .PPT, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .pwm, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .raf, .rar, .rat, .raw, .rdb, .rtf, .RTF, .rvt, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sda, .sdf, .sldm, .sldx, .slk, .zip.

It then displays the following text:

!!! IMPORTANT INFORMATION!!!! the BOK Ransomware
All of your files are encrypted RSA-2048 AES-128 ciphers.
More information about the RSA AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
https://"$sitedomain1".tor2web.org/"$Personalid"
http://"$sitedomain1".onion.to/"$Personalid"
https://"$sitedomain2".tor2web.org/"$Personalid"
http://"$sitedomain2".onion.to/"$Personalid"
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialisation.
3. Type in the address bar: "$sitedomain1".onion/"$Personalid" or "$sitedomain2".onion/"$Personalid"
4. Follow the instructions on the site.
!!! Your personal identification ID: "$Personalid"!!!

Categories: Ransomware, Win32 ransomware, Win32, Win32 trojan, Microsoft Windows, Trojan
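As an added triage example (not code from the wiki page or from any analysis tool): a Python script that recognises a note following the template above, pulls the hidden-service labels and personal ID out of it for the incident record, and lists which files in a path inventory carry one of the targeted extensions. The extension subset, the sample note, its domain labels and its ID are all constructed for the demo, not real indicators.

```python
import re
from pathlib import PurePosixPath

# Subset of the extensions the page lists as BOK targets (constructed for the
# demo; the page's list is far longer). Lower-cased so the page's duplicate
# .csv/.CSV and .doc/.DOC entries collapse to one each.
TARGETED_EXTENSIONS = {ext.lower() for ext in [
    ".7zip", ".accdb", ".backupdb", ".bak", ".cfg", ".csv", ".CSV", ".doc",
    ".DOC", ".docx", ".jpg", ".kdbx", ".mdf", ".pdf", ".pem", ".pfx", ".pst",
    ".qcow2", ".rar", ".sav", ".zip"]}

# Fixed strings and URL shape taken from the note reproduced on the page.
NOTE_HEADER = "!!! IMPORTANT INFORMATION!!!!"
NOTE_URL_RE = re.compile(
    r"https?://([a-z0-9]+)\.(?:tor2web\.org|onion\.to)/([A-Za-z0-9]+)")
PERSONAL_ID_RE = re.compile(r"personal identification ID:\s*([A-Za-z0-9]+)")

def is_bok_note(text):
    """True if the text carries the note header and the RSA-2048/AES-128 claim."""
    return NOTE_HEADER in text and "RSA-2048" in text and "AES-128" in text

def note_indicators(text):
    """Collect the hidden-service labels and victim ID for the incident record."""
    hits = NOTE_URL_RE.findall(text)          # list of (domain label, id) pairs
    ids = {pid for _, pid in hits}
    m = PERSONAL_ID_RE.search(text)           # the ID is also stated at the end
    if m:
        ids.add(m.group(1))
    return {"domains": sorted({d for d, _ in hits}), "personal_ids": sorted(ids)}

def at_risk_files(paths):
    """Paths whose extension is on the targeted list, compared case-insensitively."""
    return [p for p in paths if PurePosixPath(p).suffix.lower() in TARGETED_EXTENSIONS]

# Constructed sample note following the page's template; the domain labels and
# the ID are made-up placeholders.
SAMPLE_NOTE = """!!! IMPORTANT INFORMATION!!!! the BOK Ransomware
All of your files are encrypted RSA-2048 AES-128 ciphers.
To receive your private key follow one of the links:
https://k3r4m2x7p9q1.tor2web.org/0A1B2C3D4E5F6789
http://k3r4m2x7p9q1.onion.to/0A1B2C3D4E5F6789
https://z8y7x6w5v4u3.tor2web.org/0A1B2C3D4E5F6789
!!! Your personal identification ID: 0A1B2C3D4E5F6789!!!"""

# Constructed file inventory; note the upper-case .DOCX, which still matches.
SAMPLE_PATHS = ["C:/Users/a/Documents/report.DOCX", "C:/Users/a/passwords.kdbx",
                "C:/Users/a/notes.txt", "C:/backups/db.backupdb", "C:/app/run.exe"]
```

Running at_risk_files over a real file inventory (for example a backup manifest) gives a quick estimate of what a BOK infection would have encrypted, and note_indicators feeds the labels and ID straight into the incident ticket.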